From 03c1b0e64f10466a9621ff0335365ae5b3c2ae81 Mon Sep 17 00:00:00 2001 From: wklken Date: Tue, 27 Jun 2023 15:00:57 +0800 Subject: [PATCH] feat(config): remove PASSWORD_UNENCRYPTED, use PASSWORD instead --- .../apigateway/apigateway/conf/.env.tpl | 7 ++--- .../apigateway/apigateway/conf/default.py | 31 ++++++------------- .../apigateway/apigateway/conf/unittest_env | 1 - src/esb/esb/conf/default.py | 17 +++------- 4 files changed, 17 insertions(+), 39 deletions(-) diff --git a/src/dashboard/apigateway/apigateway/conf/.env.tpl b/src/dashboard/apigateway/apigateway/conf/.env.tpl index 4221970b5..a27a67fcd 100644 --- a/src/dashboard/apigateway/apigateway/conf/.env.tpl +++ b/src/dashboard/apigateway/apigateway/conf/.env.tpl @@ -11,18 +11,15 @@ BK_APIGW_DATABASE_NAME="bk_apigateway" BK_APIGW_DATABASE_HOST="localhost" BK_APIGW_DATABASE_PORT=3306 BK_APIGW_DATABASE_USER="root" -BK_APIGW_DATABASE_PASSWORD_UNENCRYPTED="" +BK_APIGW_DATABASE_PASSWORD="" BK_ESB_DATABASE_NAME="bk_esb" BK_ESB_DATABASE_HOST="localhost" BK_ESB_DATABASE_PORT=3306 BK_ESB_DATABASE_USER="root" -BK_ESB_DATABASE_PASSWORD_UNENCRYPTED="" +BK_ESB_DATABASE_PASSWORD="" -# FIXME: can't only set unencrypted to empty, -# in default.py env.str("BK_APIGW_REDIS_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_REDIS_PASSWORD") will check the password BK_APIGW_REDIS_PASSWORD="" -BK_APIGW_REDIS_PASSWORD_UNENCRYPTED="" # add the frontend domain, will add to CORS_ORIGIN_REGEX_WHITELIST DASHBOARD_FE_URL="http://apigw.example.com" \ No newline at end of file diff --git a/src/dashboard/apigateway/apigateway/conf/default.py b/src/dashboard/apigateway/apigateway/conf/default.py index 14c224292..8444ececc 100644 --- a/src/dashboard/apigateway/apigateway/conf/default.py +++ b/src/dashboard/apigateway/apigateway/conf/default.py 
@@ -33,7 +33,6 @@ from celery.schedules import crontab from tencent_apigateway_common.env import Env -from tencent_apigateway_common.secure.dj_environ import SecureEnv from apigateway.conf.celery_conf import * # noqa from apigateway.conf.celery_conf import CELERY_BEAT_SCHEDULE @@ -44,9 +43,6 @@ ENCRYPT_KEY = env.str("ENCRYPT_KEY") -sec_env = SecureEnv() -sec_env.set_secure_key(ENCRYPT_KEY) - # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) @@ -69,9 +65,6 @@ # use the same nonce, should not be changed at all!!!!!! CRYPTO_NONCE = env.str("BK_APIGW_CRYPTO_NONCE", "q76rE8srRuYM") -# 网关公钥,服务部分接口接入网关,配置此网关的公钥,以校验网关 jwt -APIGW_PUBLIC_KEY = sec_env.str("APIGW_PUBLIC_KEY", "") - # SECURITY WARNING: don't run with debug turned on in production! DEBUG = env.bool("DEBUG", False) @@ -234,7 +227,7 @@ # django translation, 避免循环引用 gettext = lambda s: s # noqa -# 站点URL +# 站点 URL SITE_URL = "/" # Static files (CSS, JavaScript, Images) @@ -290,8 +283,7 @@ "ENGINE": env.str("BK_APIGW_DATABASE_ENGINE", "django.db.backends.mysql"), "NAME": env.str("BK_APIGW_DATABASE_NAME", BK_APP_CODE), "USER": env.str("BK_APIGW_DATABASE_USER", BK_APP_CODE), - "PASSWORD": env.str("BK_APIGW_DATABASE_PASSWORD_UNENCRYPTED", "") - or sec_env.str("BK_APIGW_DATABASE_PASSWORD", ""), + "PASSWORD": env.str("BK_APIGW_DATABASE_PASSWORD", ""), "HOST": env.str("BK_APIGW_DATABASE_HOST", "localhost"), "PORT": env.int("BK_APIGW_DATABASE_PORT", 3306), "OPTIONS": { 
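Review bot: `BK_APIGW_DATABASE_PASSWORD` keeps its name but changes meaning in the `@@ -290,8 +283,7 @@` hunk: it used to go through `sec_env.str(...)` (presumably decrypted with `ENCRYPT_KEY`) and is now read verbatim by `env.str("BK_APIGW_DATABASE_PASSWORD", "")`. A deployment that still carries the old value would send that string as the password, and one that only sets `BK_APIGW_DATABASE_PASSWORD_UNENCRYPTED` falls through to the `""` default and attempts an empty-password login; nothing visible here rejects either case at settings load. The same applies to the other `*_PASSWORD` reads changed in this commit (BK_ESB, BK_PAAS2, Redis, ES and DEFAULT_PYPI in this file, both databases in src/esb/esb/conf/default.py), and the unittest_env context lines still export the same base64-looking string for `BK_APIGW_REDIS_PASSWORD` and `BK_APIGW_ES_PASSWORD`, which appears to have been written for the old path. I would add a comment above `DATABASES` such as `# *_PASSWORD is plaintext; ENCRYPT_KEY-encrypted values and *_PASSWORD_UNENCRYPTED are no longer read`, and consider refusing to start when a legacy `*_PASSWORD_UNENCRYPTED` variable is still set. The `DATABASES` dict starts and ends outside the hunk.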
@@ -302,7 +294,7 @@ "ENGINE": env.str("BK_ESB_DATABASE_ENGINE", "django.db.backends.mysql"), "NAME": env.str("BK_ESB_DATABASE_NAME", "bk_esb"), "USER": env.str("BK_ESB_DATABASE_USER", BK_APP_CODE), - "PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_ESB_DATABASE_PASSWORD", ""), + "PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD", ""), "HOST": env.str("BK_ESB_DATABASE_HOST", "localhost"), "PORT": env.int("BK_ESB_DATABASE_PORT", 3306), "OPTIONS": { @@ -313,8 +305,7 @@ "ENGINE": env.str("BK_PAAS2_DATABASE_ENGINE", "django.db.backends.mysql"), "NAME": env.str("BK_PAAS2_DATABASE_NAME", ""), "USER": env.str("BK_PAAS2_DATABASE_USER", ""), - "PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD_UNENCRYPTED", "") - or sec_env.str("BK_PAAS2_DATABASE_PASSWORD", ""), + "PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD", ""), "HOST": env.str("BK_PAAS2_DATABASE_HOST", ""), "PORT": env.int("BK_PAAS2_DATABASE_PORT", 3306), "OPTIONS": { @@ -331,7 +322,7 @@ # redis 配置 REDIS_HOST = env.str("BK_APIGW_REDIS_HOST", "localhost") REDIS_PORT = env.int("BK_APIGW_REDIS_PORT", 6379) -REDIS_PASSWORD = env.str("BK_APIGW_REDIS_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_REDIS_PASSWORD") +REDIS_PASSWORD = env.str("BK_APIGW_REDIS_PASSWORD", "") REDIS_PREFIX = env.str("BK_APIGW_REDIS_PREFIX", "apigw::") REDIS_MAX_CONNECTIONS = env.int("BK_APIGW_REDIS_MAX_CONNECTIONS", 100) REDIS_DB = env.int("BK_APIGW_REDIS_DB", 0) @@ -452,9 +443,7 @@ # Elasticsearch 配置 BK_APIGW_ES_USER = env.str("BK_APIGW_ES_USER", BK_APP_CODE) # 密码中可能包含特殊字符 -BK_APIGW_ES_PASSWORD = quote( - env.str("BK_APIGW_ES_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_APIGW_ES_PASSWORD", "") -) +BK_APIGW_ES_PASSWORD = quote(env.str("BK_APIGW_ES_PASSWORD", "")) BK_APIGW_ES_HOST = env.list("BK_APIGW_ES_HOST", default=[]) BK_APIGW_ES_PORT = env.str("BK_APIGW_ES_PORT", "9200") ELASTICSEARCH_HOSTS = [] 
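Review bot: `REDIS_PASSWORD` gains a `""` default in the `@@ -331,7 +322,7 @@` hunk that the removed `sec_env.str("BK_APIGW_REDIS_PASSWORD")` call did not have, so a missing variable now yields an empty password instead of whatever the no-default lookup did before (the FIXME deleted from .env.tpl says the password was checked). If Redis authentication is expected outside local development, keep the variable required with `REDIS_PASSWORD = env.str("BK_APIGW_REDIS_PASSWORD")`. If an empty value is meant to be valid, say so in a comment such as `# empty means the Redis server has no AUTH configured`. How `Env.str` treats a missing name without a default is not visible in this diff, so confirm that it raises.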
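Review bot: `quote(env.str("BK_APIGW_ES_PASSWORD", ""))` in the `@@ -452,9 +443,7 @@` hunk leaves `/` unescaped if `quote` is `urllib.parse.quote`, whose default is `safe="/"`. The import and the place where the value is consumed are outside the hunk, but the call together with the comment above it suggests the password is embedded in a URL, where an unescaped `/` would end the userinfo part early. `BK_APIGW_ES_PASSWORD = quote(env.str("BK_APIGW_ES_PASSWORD", ""), safe="")` escapes every reserved character.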
@@ -483,7 +472,7 @@ "repository_url": env.str("DEFAULT_PYPI_REPOSITORY_URL", ""), "index_url": env.str("DEFAULT_PYPI_INDEX_URL", ""), "username": env.str("DEFAULT_PYPI_USERNAME", ""), - "password": env.str("DEFAULT_PYPI_PASSWORD_UNENCRYPTED", "") or sec_env.str("DEFAULT_PYPI_PASSWORD", ""), + "password": env.str("DEFAULT_PYPI_PASSWORD", ""), } } @@ -686,9 +675,9 @@ # 网关资源数量限制 MAX_STAGE_COUNT_PER_GATEWAY = env.int("MAX_STAGE_COUNT_PER_GATEWAY", 20) API_GATEWAY_RESOURCE_LIMITS = { - "max_gateway_count_per_app": env.int("MAX_GATEWAY_COUNT_PER_APP", 10), # 每个app最多创建的网关数量 - "max_resource_count_per_gateway": env.int("MAX_RESOURCE_COUNT_PER_GATEWAY", 1000), # 每个网关最多创建的api数量 - # 配置app的特殊规则 + "max_gateway_count_per_app": env.int("MAX_GATEWAY_COUNT_PER_APP", 10), # 每个 app 最多创建的网关数量 + "max_resource_count_per_gateway": env.int("MAX_RESOURCE_COUNT_PER_GATEWAY", 1000), # 每个网关最多创建的 api 数量 + # 配置 app 的特殊规则 "max_gateway_count_per_app_whitelist": { "bk_sops": 1000000, # 标准运维网关数量无限制 }, diff --git a/src/dashboard/apigateway/apigateway/conf/unittest_env b/src/dashboard/apigateway/apigateway/conf/unittest_env index 3277ebdd3..edd329b65 100644 --- a/src/dashboard/apigateway/apigateway/conf/unittest_env +++ b/src/dashboard/apigateway/apigateway/conf/unittest_env @@ -28,7 +28,6 @@ export BK_APIGW_REDIS_PORT="6378" export BK_APIGW_REDIS_PASSWORD="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk=" export DEFAULT_TEST_APP_CODE="apigw-api-test" export DEFAULT_TEST_APP_SECRET="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk=" -export APIGW_PUBLIC_KEY="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk=" export BK_APIGW_ES_HOST="localhost" export BK_APIGW_ES_PASSWORD="egrKq5TnJvlFiPLIrtquv3Mow792xVgTzqTiSrVkUIk=" export DASHBOARD_CSRF_COOKIE_DOMAIN=".example.com" \ No newline at end of file diff --git a/src/esb/esb/conf/default.py b/src/esb/esb/conf/default.py index 36a6b9813..7219e9286 100644 --- a/src/esb/esb/conf/default.py +++ b/src/esb/esb/conf/default.py 
@@ -18,17 +18,11 @@ # import os -from tencent_apigateway_common.env import Env -from tencent_apigateway_common.secure.dj_environ import SecureEnv - from conf.log_utils import get_logging_config, makedirs_when_not_exists +from tencent_apigateway_common.env import Env env = Env() -sec_env = SecureEnv() -sec_env.set_secure_key(env.bytes("ENCRYPT_KEY")) - - BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # SECURITY WARNING: keep the secret key used in production secret! @@ -155,7 +149,7 @@ def _(s): "ENGINE": env.str("BK_ESB_DATABASE_ENGINE", "django.db.backends.mysql"), "NAME": env.str("BK_ESB_DATABASE_NAME"), "USER": env.str("BK_ESB_DATABASE_USER", ""), - "PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD_UNENCRYPTED", "") or sec_env.str("BK_ESB_DATABASE_PASSWORD", ""), + "PASSWORD": env.str("BK_ESB_DATABASE_PASSWORD", ""), "HOST": env.str("BK_ESB_DATABASE_HOST", ""), "PORT": env.int("BK_ESB_DATABASE_PORT", 3306), "TEST_CHARSET": env.str("DATABASE_TEST_CHARSET", "utf8"), @@ -168,8 +162,7 @@ def _(s): "ENGINE": env.str("BK_PAAS2_DATABASE_ENGINE", "django.db.backends.mysql"), "NAME": env.str("BK_PAAS2_DATABASE_NAME", "open_paas"), "USER": env.str("BK_PAAS2_DATABASE_USER", ""), - "PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD_UNENCRYPTED", "") - or sec_env.str("BK_PAAS2_DATABASE_PASSWORD", ""), + "PASSWORD": env.str("BK_PAAS2_DATABASE_PASSWORD", ""), "HOST": env.str("BK_PAAS2_DATABASE_HOST", ""), "PORT": env.int("BK_PAAS2_DATABASE_PORT", 3306), "TEST_CHARSET": env.str("DATABASE_TEST_CHARSET", "utf8"), @@ -256,7 +249,7 @@ def _(s): # host for job, default 80 for http/8443 for https HOST_JOB = env.str("BK_JOB_URL", "") -# JOB是否启用SSL验证 +# JOB 是否启用 SSL 验证 JOB_SSL = env.bool("JOB_SSL", True) # host for gse, default 80 for http/8443 for https 
@@ -276,7 +269,7 @@ def _(s): # host for gse config BK_GSE_CONFIG_ADDR = env.str("BK_GSE_CONFIG_URL", "") -# host for DATA,数据平台监控告警系统, default 80 for http/8443 for https +# host for DATA,数据平台监控告警系统,default 80 for http/8443 for https HOST_DATA = env.str("BK_DATA_URL", "") # host for DATA BKSQL service